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Abstract — This paper presents a method of cryptographic key 
distribution using an 'artificially' noisy channel. This is an 
important development because, while it is known that a noisy 
channel can be used to generate unconditional secrecy, there are 
many circumstances in which it is not possible to have a noisy 
information exchange, such as in error corrected communication 
stacks. It is shown that two legitimate parties can simulate a 
noisy channel by adding local noise onto the communication 
and that the simulated channel has a secrecy capacity even if 
the underlying channel does not. A derivation of the secrecy 
conditions is presented along with numerical simulations of the 
channel function to show that key exchange is feasible. 

Index Terms — Cryptography, secret key agreement, public 
discussion protocols, secrecy capacity, wire-tap channel, privacy 
amplification 

I. Introduction 

A Fundamental aspect of cryptography is the ability to ex- 
change information in perfect secrecy. However, almost 
all current forms of encryption rely on computational rather 
than information theoretic security. Computationally secure 
coding uses encryption techniques for which the known hack- 
ing algorithms require lengthy calculations and they therefore 
assume that the eavesdropper has a limited computational 
capability. Information theoretic security, on the other hand, 
makes no assumptions about an eavesdroppers capability. This 
is an important distinction because the computational difficulty 
can change with advances in algorithms and increased speed 
of calculation, leading to significant cryptographic breaks. 

One solution to producing a perfectly encrypted message is 
the One Time Pad where the cryptographer has an infinite 
supply of symmetric key that is consumed as a resource 
in encrypting information. However, this creates the obvious 
problem of creating and securely distributing large amounts 
of symmetric key material. To address this problem several 
methods have been proposed for creating and agreeing on 
a perfectly secure key of arbitrary length under information 
theoretic security |1|-|8|. 

In particular, it has been shown |3j, (4j, (7), [9] that channel 
noise can be exploited to create and distribute symmetric key 
material in near perfect secrecy. The essential element is the 
use of feedback |3j, ||7|-|fTT|l, which exploits uncertainties 
in Eve's (the eavesdropper's) information, via a specially 
prepared sequence of messages, to generate random bit se- 
quences known to the communicating pair, Alice and Bob, and 
unknown to Eve. Hence, the secrecy of the channel is given 
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by the combination of information transmitted over both the 
noisy and noise-free channels. 

The noisy channel model has been studied for several 
decades now (see for example J3), |4|, |6|-[8|, flO) ) and it 
has been well established that when the mutual information 
between two distributions A and B exceeds the mutual in- 
formation between A and E (that is I(A; B) > I(A\ E)) it 
is possible to build a secret key from distributions A and B 
excluding E. Maurer [7] recognized that this condition was too 
strong and there are circumstances when I(A; B) < I(A; E) 
and/or I(A; B) < I(B: E) but secret key generation is 
still possible. In particular, feedback between Alice and Bob 
permits the generation of a sequence of messages M* = 
[Mi, M2, ■ ■ ■ , M t ] which can be used to generate A — M t A, 
B = M % B and E = M t E such that 

I(A;B)>I(A;E). 

The scenario works as follows, Alice and Bob first exchange 
symbols over the noisy channel. They then use feedback 
signals exchanged over an error-corrected channel to arrive 
at a secret key. Information Alice, Bob and Eve obtain about 
the secret key therefore comes from correlations in the signals 
and the joint information gained from the subsequent feedback 
messages. 

The conditions of feedback are therefore an important aspect 
of distilling the secret key. The feedback must be constructed 
to allow Alice and Bob to use correlations in their data to 
exclude Eve. One way for them to do this is for Alice and Bob 
to reduce the errors in a subsequent communication channel. 
There are several codings that could be used for this purpose 
p2) . As Eve has errors in her knowledge of both Alice's 
and Bob's bit sequences, the coding only gives her partial 
information and she therefore receives the signals with errors 
cascaded over either Alice's or Bob's channel (depending on 
the nature of the reconciliation). It has been shown (7J, (8), 
(T2j that this gives Alice and Bob an advantage over Eve. This 
procedure can be cascaded to align their information while 
maintaining a well defined upper limit on Eve's information. 
Moreover, knowing the upper limit on Eve's information, Alice 
and Bob can subsequently use privacy amplification (3], (10| 
to reduce Eve's information to an arbitrarily small level. 

The essential element of secret key generation is that 
the noise channel is capable of generating a sufficient and 
predictable level of uncertainty in the information received 
by Eve. Quantum key distribution (T), (2) is one way of 
ensuring a guaranteed minimum level of channel noise and it 
comes with the added benefit that the security is protected by 
the physical limitations of quantum mechanical measurement. 
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However, as noted above, any noisy communications channel 
where Alice, Bob and Eve receive noisy copies of a signal, 
is also theoretically secure when it is assumed that each party 
receives uncorrected noise. 

Hence, an implementation of any cryptographic scheme will 
be strongly dependent on the specific properties of the channel 
and all of the apparatus surrounding it, because changes to the 
detectors, source or even medium (e.g. free space or wave- 
guide) can change the noise and hence the secrecy conditions. 
Secrecy can even be removed entirely if the noise falls below a 
given threshold. Continuous variable quantum communication, 
for example, typically includes essential device calibration 
p3) . For this reason it is interesting to consider a method 
that would generate unconditional channel noise and therefore 
secrecy in key generation. 

The current paper presents a method of applying uncondi- 
tional noise to generate secrecy in a channel with no a priori 
secrecy capacity. Specifically it is found that if the signal 
is degraded locally (independent of transmission or detection 
noise) and by both Alice and Bob independently, the channel 
gains the ability to create a secret symmetric key even if it 
otherwise has no prior secrecy capacity. 

II. Secret Keys from Channel Noise 

It has been established that a noisy channel where, in 
particular, Eve and Bob both have reception errors is capable 
of secret communication while a perfect, noise-free commu- 
nication channel has zero secrecy capacity J3], Q, |6j-|[8j, 
[10 1, 1 14) . However there are many channels in where noisy 
communication is not possible, or where an unconditionally 
noisy channel is not guaranteed. In such channels we propose 
that Alice and Bob use a local noise source to create an 
artificially noisy channel, simply by adding local noise after 
the transmission (FigjTJ. Although Eve can receive a noiseless 
copy of the original data, it will now be shown that by altering 
their channel Alice and Bob have effectively simulated a 
noisy channel and can distill a correlated data set unknown 
to Eve. Alice and Bob have effectively generated a non-zero 
secrecy capacity at the expense of reducing the overall channel 
capacity. 

In the arguments that follow it is assumed that Eve can 
detect all transmissions from Alice (and Bob) with no error 
and that she receives a signal that is identical to the receiver 
at all times. This represents the best possible case for Eve. 

In this model (without loss of generality) Alice transmits a 
random number R to Bob over an otherwise noiseless channel. 
Alice, Bob and Eve then use a local true random number 
generator to generate the random number sets N A , N B and 
N E respectively, such that Eve cannot independently deduce 
the values N A or N B from her knowledge of N E and R. 
Alice and Bob and Eve use these to generate the variables 



and 
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Fig. 1 . This figure presents the communication scheme, where Alice initially 
transmits R to Bob (and Eve) over a public line. Alice and Bob (and Eve) 
then add noise to the random variable using local noise sources, N A , N B 
and N E . This results in the variables X, Y and Z for Alice, Bob and Eve 
respectively, which will be the starting point for further communication. 



respectively. Nf, Nf and Nf are random biased bits with 
probabilities P{Nf = 0) = 1-a, P{Nf = 1) = a, P(Nf = 
0) = 1 - 0, P(Nf = 1) = (where < a, P < 1 ), 
P(Nf = 0) = 1-7 and P(Nf = 1) = 7 (where < 7 < 1). 
The range of 7 expresses the fact that the value Nf could 
contain any level of noise ranging from complete uncertainty 
to being an error free reception of Ri. 

This effectively creates new binary symmetric channels 
between Alice and Bob and Alice and Eve shown in Fig. [2] 
Where the bit flip probabilities a, P and 7 are related to the 
binary symmetric error rates e and 8 via e = a + P — 2a/3 and 
5 = a + 7 — 207. Importantly both 5 > and e > even if 
7 = as long as both a > and P > 0. 

It is worth noting that Eve might tamper with the initial 
transmission of R, which effectively amounts to creating a 
new variable T u where P(T t = 0) = 1 - r, P(T; = 1) = r. 
This would lead to Bob receiving a new variable Y- = Yi®Ti. 
This has the same effect as transmission noise and may make 
key agreement between Alice and Bob more difficult, but it 
is not impossible as long as I(Y;Y') ^ ^ I(X;Y') (7J. 
Tampering is considered in more detail below. 




Fig. 2. The transmission line model presented in figure^ in which Alice 
transmits a signal to Bob over an error free channel with local degradation 
of the data, can be rewritten as a series of binary symmetric channels linking 
Alice and Bob and Alice and Eve, where e = a+/3— 2a/3 is the convolution of 
local noise between Alice and Bob and 8 = a + 7 — 2ccy is the convolution 
of local noise between Alice and Eve, with a, f} and 7 as local bit flip 
probabilities (defined in the text). 

It is therefore proposed that for a > 0, P > and 
7 > a channel has been created with a capacity for secrecy, 
irrespective of the properties of the underlying channel. This is 
a new condition introduced in this paper that does not match 
the conditions established previously (7)-||9j- It is therefore 
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not immediately clear that a protocol can even be constructed 
with the capacity for secrecy. The secrecy proof is re-visited 
in the following proposition. 

Proposition 1: For the binary distribution X, Y and Z 
given by the conditions in equations [T] [2] and [3] and assuming 
a = j3, the proposition is that for any 7 > a coding sequence 
exists such that variables X, Y and Z can be derived from X, 
Y, and Z such that the channel has a positive secrecy capacity. 

Proof: Alice and Bob open a virtual channel where 
Alice encodes a random number, C, using a simple encoding 
of sending an A^-fold repeated message (7) encrypted using 
N-bits from X via [X, © C,X i+1 © C, . . . ,X i+N _ x © C]. 
Bob calculates the sequence C using the sequence Y via 
[Xi © C © Y i} X i+1 © C © Y i+1 , X i+N _! © C © Y i+N _ x ] 
and accepts the value of C only when he has obtained the 
vectors [0, 0, . . . , 0] or [1, 1, .... 1]. This encoding therefore 
creates a new binary symmetric channel between Alice and 
Bob with error probability, e/y, given by 



Pi 



Correct 



Error 



(l-e) w + e 



(4) 



where Pettot is the probability that the bit calculated by 
Bob is not equal to the bit encoded by Alice and Pcorrect is 
the probability that the two are equal. Eve can also calculate 
'C using her variables [Zi, Zi+i, . . . , Zj+j\r_i], however, it 
is assumed that Eve takes a more sophisticated approach than 
Bob and calculates the value of 'C based on the most likely 
value. Errors in Eve's calculation are therefore determined by 
the number of sequences with N/2 errors or more, given that 
the sequence has been accepted by Bob. Eve's error in the N- 
fold virtual channel is 6n, assuming Eve adds no noise (i.e. 
7 = 0). Hence, the best match that Eve can achieve to Bob's 
data is given by the binomial probability |7J, (SJ, 



$N = 



1 



P 



Total 



N 

E 

!j=jV/2 



N 



+Pf ->n) (5) 



where, Protal is the total number of states accepted by 
Bob, p nm is the probability that when the result of Alice's 
calculation (R + Noise) is 0, Bob's result is n and Eve's 
result is m. In this specific case their values are given by, 

PTotal — Pcorrect + Pettot ~ {1 — e) N + C N , 

Poo = (1 - a) 2 , 



Pox = ol , 



and 



Pio = Pxx = a(l - a). 



Considering only the special case that Bob has accepted a 
sequence and the sequence decoded by Eve has equal numbers 
of Is and 0s (that is, Eve has a 50% transmission error), we 
are left with, 

i ~ > ^U 2 ) (2(a - t>2) ~ ) ' 



At this point a choice of coding is made, deciding on the 
specific value of N = 2. Under these conditions the errors in 
Eve's calculation are given by, 

4(a-a 2 ) 2 

<W=2 > 5 • 

i^Total 

However equation [4] shows that when N = 2 and a = j3, 
Bob's error is also given by 

, 2 (2a-2a 2 ) 2 

£A/=2 = p = p ■ (6) 

"Total "Total 

Hence, Sn=2 is always strictly greater than ejv=2- It follows 
that I(X;Y) > I(Y;Z) and therefore S(X;Y\\Z) > (Sj. 
This is sufficient even if it is only true for the special case of 

N = 2. m 

This proposition is useful because it also provides a protocol 
with which a secret key can be established. Alice can repeat the 
exchange with same transmission steps (and different random 
variables C), knowing that Eve's ability to calculate the value 
will be worse than Bob's because Eve started with an imperfect 
code Z. This can be repeated until Alice and Bob have n-bit 
sets S n and S' n , where Prob(S ^ S' n ) < k. Likewise Eve will 
have S 1 " for which Prob(S = S 1 ") < A, for some choice of k 
and A. 

For sufficiently small k we have 

I(S n ; S n ) — I(S n ; S n ) ~ 1 — I(S n ; S n ) < fc, 

indicating that Eve's knowledge of S n is upper bounded by 
k. Therefore, privacy amplification fTT) can be used then be 
used to further reduce Eve's information using a hash function 
F ni k which performs a mapping from Alice and Bob's n bit 
sequence to a sequence of length n(l — k) bits. This creates 
new n(l - k) length sets F n . k {S") and F n . k {S') - F ntk (S) 
such that I(F n , k (S' , );F nik {S)) « 0. If the hash function 
F nik is decided after the protocol has been completed, Eve 
cannot influence the exchanges in advance in order to create 
a favorable situation. 

Figure [3] presents the results of a simulation of random 
data exchanged between Alice and Bob, followed by adding 
local noise (the first two steps in the protocol). The simulation 
modeled a real exchange, where bit strings and added noise 
were generated using a random number generator and the 
signal was sent virtually between analysis programs. In this 
case the random number generator fails a universal statistical 
test p3] so this particular exchange has limited capacity 
for generating actual secrecy, however, it does allow us to 
investigate the statistical effects of added noise. The solid 
line is an evaluation of equations [4] and [5] and the open and 
closed circles are the results of the simulation for Bob and 
Eve respectively. This simulation shows that for all values of 
noise a > to a < 1/2 (with a — f3) the noise in Eve's 
channel exceeds the noise in Bob's channel following the first 
exchange. 

III. Eavesdropping 

It is also worth considering the type of eavesdropping 
attacks that might be expected and how they are thwarted. 
For this purpose, the system can be broken down into two 
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N = 2 Channel Error 




Fig. 3. Theory vs simulation evaluations of the binary symmetric channel 
errors 7jv and ejy Ior the virtual channel for N=2 as a function of the error 
rate a. The solid line is from equations [4] and [3] and the points are the results 
of the simulations. For this graph, a = p and 100,000 samples were taken. It 
shows that the error rate for Eve always exceeds that of Bob for all choices 
of a. 



elements; the private channel in which the key material is 
exchanged and the public channel in which the two way 
communication used to distill the secret key takes place. 

The private channel is always used for the exchange of 
random variables which will be unknown to Bob in advance 
of the exchange. Hence it is possible that Eve could tamper 
or otherwise interfere with these transmissions by removing, 
altering or inserting symbols without Bob knowing. 

It is also assumed that Eve is only able to read but 
not modify messages in the authenticated public channel. 
Authentication in this case meaning that Alice and Bob are 
authenticated users rather than referring to the security of the 
connection itself. 

Eve has two possible attacks. Firstly she can look for 
correlations in the data exchanged and try to use this to gain 
insight into the final key (more than the insight she gains 
by simply following Alice and Bob's protocol). Secondly, 
she can manipulate the symbols exchanged; for example, by 
performing selected bit flips in some of the data exchanged. 

The first attack carries no additional information because 
the key is not sourced from the initial data but rather from 
the elements C used in subsequent exchanges. Moreover the 
noise, N A and N B and the virtual channel value C are chosen 
such that I(X; C) = I(Y; C) = I(Z; C) = 0, hence no 
information about C can be gained from observations of the 
initial code R. 

The second attack is somewhat more important because 
it can go unnoticed especially as Bob is already expecting 
unknown random data. However, as the statistics cannot be 
altered from the original and the number of bits must still 
be the same, Bob can perform local checks to ensure that 
the data is still random. Therefore the attack may be quite 
subtle. For example, it could be assumed that Eve's goal in 
manipulating the data is not to reveal the secret key itself but 
rather to reveal a few additional bits of each exchange that 
will be unaccounted for in the privacy amplification. Eve may 



:e.; 



Tamper Rate {%) 

Fig. 4. This figure shows simulations results of the percentage of values 
retained (PTotal) at the first exchange when Alice and Bob introduce 16% 
errors in their data, for an initial exchange of 5 X 10 5 bits. The error bars 
represent 1 standard deviation of error in the simulation results. Tampering is 
detectable at the 2-3% level. 



use this to gain a cryptographic break over the final key (Eve 
may, for example, wish to reduce the search space in a brute 
force key guessing attack). She may even consider an attack 
where small amounts of information accumulated over a very 
long period of time eventually reveals significant amounts of 
information (precisely how this is achieved is not considered 
here). A low level tampering attack is therefore an important 
consideration. 

As noted above, any tampering attack would take the form 
of introducing the tamper variable T, to the message text via 
R'i= Ri@ Ti before it is sent on to Bob. Bob's local variable 
therefore becomes 



Y! =Yi®Ti=R z ® N, 1 



'Ti. 



Eve cannot know N B therefore it is necessarily the case that 
I(N B ;T) = 0. The act of tampering modifies the binary 
symmetric channel between Alice and Bob (figure [2]) changing 
the error rate from e to e', 



(ft- 



2(/3 + r)a 



Ae 



where Ae = t(1— 2a), The result is an increase in the channel 
noise between Alice and Bob without changing the channel 
noise between Eve and Alice, assuming that Eve does not 
incorporate the tamper variable in her own data (if she does, 
her error actually exceeds Bob's and secrecy is maintained). 

Figure |4] shows the impact of tampering attacks on the value 
of PTotal for attacks modifying — 5% of the data. Hence, this 
particular tampering attack is detectable by examining PTotal 
which reduces as a function of r. Alice and Bob can monitor 
PTotal, with any significant drop indicating a tampering attack. 
A 2 — 5% attack is clearly detectable and is outside a standard 
deviation of variation of the untampered value. 

This leaves a potential vulnerability to tampering attacks 
that introduce less than 2% errors. The full protocol of key 
agreement now becomes important. It has already been shown 
that small amounts of tampering reduce Bob's mutual informa- 
tion with Alice and hence PTotal in the first exchange, however 
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Fig. 5. This figure shows simulations the final secret key after four rounds 
of data matching, for an initial exchange of 5 X 10 5 bits. The final key rate is 
given by (1 - I(S n ; S'^))PFinal, where Pnual is the final matching key 
agreed between Alice and Bob. The error bars represent 1 standard deviation 
statistical errors in the simulation results. In this simulation Alice and Bob 
introduce 16% errors in their data. 



it also, simultaneously, reduces Eve's mutual information with 
Bob. 

In their exchange, and in the presence of tampering, Alice 
and Bob will arrive at the key source St and S' T respectively 
which will have been reduced in size by Eve's tampering. 
However, as key agreement is driven by Bob and not Alice, 
the final value of I(St\ S t ) must therefore also be reduced, 
precisely because Eve has distanced herself from Bob. It 
remains the case that Eve's best attack is to do nothing. 

Finally in completing the protocol, Alice and Bob, unaware 
of the tampering, can always use a Hash code derived without 
knowing the details of the attack and assuming a perfect Eve. 
Figure [5] shows the final key agreed by Alice and Bob when 
Eve has tampered with the data. The key rate stays broadly flat 
with /(§„; S!^) ~ 0. This is true for small levels of tampering 
and the situation changes if the error is substantially above 
5%, hence continual monitoring of Protai is essential. Alice 
should therefore also keep track of the information that Eve 
would have at each level of the protocol. 

IV. Conclusion 

This paper demonstrates the exchange of secret keys us- 
ing an arbitrary communication channel with no a priori 
assumptions. This could therefore include channels such as the 
TCP/IP stack, or error corrected radio communication stacks. 
In this model Alice and Bob (the legitimate communicators) 
add noise to the data to simulate the action of a noisy channel. 
It has also been shown that a communication protocol exists 
that can be used to distill a secret key. 

The nature of the noise is however key to the secrecy 
and therefore it must be unpredictable. Hence, the essential 
element is that the noise should be supplied by a truly random 
source. In practice this means that it should probably be 
sourced from quantum effects as these are both unpredictable 
and cannot, typically, be externally manipulated. 

A feedback mechanism was also demonstrated where a new 
data set was constructed using a virtual error corrected channel 



exchanging data pairs. This was shown to be capable of 
enhancing the overlap between Alice and Bob while reducing 
the noise in Eve. A potential attack has been considered where 
Eve attempts to degrade her data. This attack has been shown 
to lead to increased secrecy. 

The final step of extracting a key uses a two-way feedback 
protocol. Such a protocol has not been considered in any detail 
in the current paper, however there are many examples in the 
literature that can be followed (see for example fTT) , |12|, 
(16|-|[T8J). 
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